Xeda Active Directory and

Apple Open Directory Integration

Technology Overview

Last updated: 7/27/09

NOTE: IET does not currently support Apple Open Directory integration with Xeda Active Directory. These instructions were developed for a demonstration and do not include security best practices.

Please refer to <http://images.apple.com/server/macosx/docs/Leopard_Server_Security_Config_v10.5.pdf> for Mac OS X Server security practices.

These UCD-specific instructions incorporate content from Mike Bombich’s excellent AD/OD tutorial at <http://www.bombich.com/mactips/activedir.html>.

Overview

These instructions describe how to integrate a Mac OS X Open Directory server into the UCD Campus Active Directory (Xeda) forest.

Once your Mac OS X Server has been integrated, environments that are part of the Xeda service and also run Mac OS X Server gain several benefits. The major ones are:

- Provide Kerberos single sign-on (SSO) to Mac OS X services such as AFP, SMB, and VPN.
- Simplify account provisioning: use campus Kerberos accounts instead of managing accounts and passwords departmentally in Open Directory.
- Manage users based on Active Directory group membership. Nested groups allow you to create an Open Directory group with an Active Directory group as a member.
- Restrict access to Mac OS X Server services based on Active Directory group membership.

Here is an overview of the instructions:

- Install Mac OS X Server in “Advanced Mode”
- Bind Mac OS X Server to Active Directory
- Kerberize the Mac OS X services to enable SSO
- Promote Mac OS X Server to Open Directory Master
- Bind a Mac OS X client to the Open Directory Master
- Bind the Mac OS X client to Active Directory

Step-by-step Instructions

1. Install Mac OS X Server using the “Advanced” Configuration

[Screenshot: advanced config.png]

2. Install Software Updates

Be sure to update to the most current version of Mac OS X. The Mac OS X Active Directory plug-in did not work as expected before 10.5.5 (September 2008) in a multi-level Active Directory environment such as Xeda.

3. Bind the Mac OS X Server to Active Directory

a. Create the computer object in the AD OU from your Windows OU admin station.

b. Launch Directory Utility on the Mac OS X Server. Click the “Show Advanced Settings” button, select the “Services” tab, enable “Active Directory” and click the pencil icon to edit.

c. Enter ou.ad3.ucdavis.edu for the Active Directory Domain and enter the name of the computer object for Computer ID.

d. Configure the User Experience, Mappings, and Administrative tabs as desired and click the Bind button.

[Screenshot: bindservertoAD1.png]

4. Authenticate with your Xeda OU Admin account

a. Enter the appropriate LDAP string for your department in the Computer OU field.

b. A dialog titled “Join Existing Account” will appear when the AD plug-in finds the computer object in your OU. Select “OK”.

c. A dialog titled “Join Kerberos Realm” will appear once you bind to AD. Ignore the instructions in this dialog because the “Join Kerberos” button is inconsistent in the Server Admin tool.

LDAP string used for the IET-ATS department:

CN=ATS-OU-Servers,OU=ATS,OU=IET,OU=DEPARTMENTS,DC=ou,DC=ad3,DC=ucdavis,DC=edu

[Screenshot: ADpluginbindOUadminauth.png]

5. Verify the Mac OS X Server is bound to Active Directory by running the following terminal commands from your Mac OS X Server.

a. % dscl /Active\ Directory/All\ Domains -read /Users/username

b. % dscl /Active\ Directory/All\ Domains -read /Groups/groupname

Verify that you can read users and groups from both ad3.ucdavis.edu and ou.ad3.ucdavis.edu.

6. Kerberize Mac OS X services by issuing the following command from the terminal on the Mac OS X Server.

a. % sudo dsconfigad -enableSSO

This will kerberize all Mac OS X Server services that support SSO. These services do not need to be enabled in order to be kerberized.

7. Verify your keytab has entries by running the following command from the terminal.

a. % sudo klist -ke

You should see three entries per Kerberos realm for each service offered in Mac OS X Server (there should be about a dozen unique services).
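To make the step 7 check repeatable, here is an added shell script (not part of the original IET instructions) that parses a `sudo klist -ke` dump and reports how many keys each service principal has per realm, flagging any service/realm pair with fewer than three. The embedded sample output, the host name macserver and the realm OU.AD3.UCDAVIS.EDU are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the IET instructions: audit a `sudo klist -ke`
# dump and count keytab entries per service/realm pair, flagging any pair
# with fewer than three keys (step 7 expects three entries per realm per
# service, one for each encryption type).
#
# On the server you would run:  sudo klist -ke | sh keytab_audit.sh
# Here a constructed sample dump is embedded so the script runs offline.

# Constructed sample of MIT Kerberos `klist -ke` output. The host name,
# the realm OU.AD3.UCDAVIS.EDU and the enctypes are assumptions.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 afpserver/macserver.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (DES cbc mode with CRC-32)
   2 afpserver/macserver.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (ArcFour with HMAC/md5)
   2 afpserver/macserver.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 cifs/macserver.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (DES cbc mode with CRC-32)
   2 cifs/macserver.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (ArcFour with HMAC/md5)
   2 host/macserver.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (DES cbc mode with CRC-32)
   2 host/macserver.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (ArcFour with HMAC/md5)
   2 host/macserver.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# keytab_summary: read a klist -ke dump on stdin and print one line per
# service/realm pair as "service REALM count", sorted by service.
keytab_summary() {
    awk '
        # Principal lines look like:  KVNO service/host@REALM (enctype)
        $2 ~ /^[^\/]+\/[^@]+@[^ ]+$/ {
            split($2, p, "/")      # p[1] = service name (afpserver, cifs, host, ...)
            split(p[2], h, "@")    # h[2] = realm
            count[p[1] " " h[2]]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# keytab_incomplete: read the same dump and print only the service/realm
# pairs with fewer than three keys; no output means the keytab looks complete.
keytab_incomplete() {
    keytab_summary | awk '$3 < 3'
}

echo "Entries per service and realm:"
printf '%s\n' "$SAMPLE_KLIST" | keytab_summary
echo "Services with fewer than three keys:"
printf '%s\n' "$SAMPLE_KLIST" | keytab_incomplete
```

With the sample dump, the cifs principal is reported with only two keys while afpserver and host have the expected three.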


8. Promote the Mac OS X Server to an Open Directory Master.

a. Enable the Open Directory service using the Server Admin utility.

b. Select the Open Directory Settings tab and click the “Change…” button next to the “Role:” field.

[Screenshot: promoteODtomaster1.png]

c. Select “Open Directory Master” as the desired server type.

[Screenshot: promoteODmaster2.png]

d. You will be prompted to create an Open Directory master directory admin account.

9. Bind a Mac OS X client to the Open Directory master. Bind the client to the Open Directory master first and then to Active Directory; otherwise MCX settings and augmented records may be ignored.

a. Launch Directory Utility on the Mac OS X client and select the + icon.

b. Select “Open Directory”, enter the Mac OS X Server name and select “OK”.

10. Bind the Mac OS X client to Active Directory.

a. Create the computer object in your Active Directory OU from your Windows OU admin station.

b. In Directory Utility on the Mac OS X client, click the “Show Advanced Settings” button, select the “Services” tab, enable “Active Directory” and click the pencil icon to edit.

c. Enter ou.ad3.ucdavis.edu for the Active Directory Domain and enter the computer object name for Computer ID.

d. Configure the User Experience, Mappings, and Administrative tabs as desired and click the Bind button.

[Screenshot: bindclienttoAD.png]

11. Authenticate with your Xeda OU Admin account

a. Enter the appropriate LDAP string for your department in the Computer OU field.

b. A dialog titled “Join Existing Account” will pop up when the AD plug-in finds the computer object in your OU. Select “OK”.

LDAP string used for the IET-ATS department:

CN=ATS-OU-Computers,OU=ATS,OU=IET,OU=DEPARTMENTS,DC=ou,DC=ad3,DC=ucdavis,DC=edu

You should now be able to log in to your Mac OS X client using your Kerberos account. Once you configure and enable kerberized Mac OS X services you will be able to access them with SSO.

Known Issues:

When connecting to a Mac OS X service such as AFP or SMB, the Active Directory plug-in on the Mac OS X client builds the Kerberos service principal from the server’s “Computer ID” prepended to the AD domain ou.ad3.ucdavis.edu. This prevents SSO from working when you connect to servername.ucdavis.edu; if you connect to servername.ou.ad3.ucdavis.edu, SSO works as expected.

A workaround is to create a DNS “A record” for your Mac OS X Server’s IP address with the DNS name servername.ou.ad3.ucdavis.edu with an alias of servername.ucdavis.edu.

Another issue that currently has no workaround is authentication delays for Mac OS X clients that are bound to Active Directory from off campus. Because certain Microsoft ports are blocked for off-campus IPs, the Mac OS X client does not properly use its cached credentials when authenticating at the login prompt or when waking from sleep.